Largest Known Healthcare Breach Affects Nearly 80 Million

Author: Ashley Shaw, XpertHR Legal Editor

February 6, 2015

Anthem Inc., the second largest health insurance company in the nation, recently disclosed that attackers gained access to the unencrypted personal information of nearly 80 million members and nonmembers, including the company's president/CEO and its employees. This is the largest known breach of a healthcare company and among the largest data breaches of any kind to date. The next largest healthcare breach, which occurred last year at Community Health Systems, affected approximately 4.5 million patients.

In what Anthem describes on its website as a "very sophisticated" attack, the intruders obtained access to the following types of information, among others:

  • Names;
  • Social Security Numbers;
  • Employment information;
  • Income information; and
  • Medical IDs.

However, no evidence has been found that credit card or clinical information, such as test results, was compromised. That does not by itself take the breach outside HIPAA: Anthem is a covered entity, and identifiers such as names, Social Security Numbers and medical IDs held by a health plan are protected health information even when no diagnosis or treatment data is exposed, so the HIPAA Privacy and Security Rules, and the Breach Notification Rule, remain relevant.

The source of the attack has yet to be determined, but it is known that all Anthem brands were affected. Anthem is cooperating with an FBI investigation into the matter, as well as with the HITRUST Cyber Threat Intelligence and Incident Coordination Center. This joint effort has helped HITRUST determine that Anthem was the only target in the cyberattack. Anthem is also working with a major cybersecurity firm to identify and correct system vulnerabilities.

In the meantime, Anthem plans to notify each affected current and former member about the breach and will also offer free credit monitoring and identity protection. More information is provided on Anthem's website. A telephone hotline is also available at 1-877-263-7995.

Data breaches like this one, and others that affected Sony and New York-Presbyterian Hospital, have become a major problem for organizations over the last several years. They serve as a wakeup call for employers to ensure that they have strong security controls in place, including encryption of personal data at rest. Encryption alone is not a complete answer, however: an attacker who operates with the stolen credentials of a legitimate user is served decrypted data by the application just as that user would be, so access controls, multi-factor authentication for privileged accounts, and monitoring for unusually large database queries and data transfers matter as much as the encryption itself.